Sun Java System Directory Server Enterprise Edition 6.3 Release Notes

Chapter 4 Directory Proxy Server Bugs Fixed and Known Problems

This chapter contains important, product-specific information available at the time of release of Directory Proxy Server.

This chapter includes the following sections:

Bugs Fixed in Directory Proxy Server 6.3

This section lists the bugs fixed since the last release of Directory Proxy Server.

6666615

In some cases, a client connection based on the bind DN criteria can be badly classified and an incorrect policy may be applied.

6359601

When ACIs are configured, Directory Proxy Server has been seen not to return the same results as a search directly on the LDAP data source. The Directory Proxy Server does not return any entries if the search filter contains an attribute to which access is denied.

6561078

Cannot use ldapmodify to delete a JDBC attribute if the attribute description is case-sensitive.

6490847

Established connections not kept alive.

6631652

Configuring a join-data-view with a filter join rule does not work.

6618078

When configuring a maximum connection count (max-client-connections) per client IP in the Directory Proxy Server, the number of simultaneous connections is not counted correctly.

6614510

The first request after a database stop gives no result and no error message.

6599352

The Directory Proxy Server does not start when a remote data source port is unreachable.

6560473

The Directory Proxy Server does not support object creation in SQL during a modify operation.

6597589

Adding a JDBC attribute to an entry that does not exist in JDBC does not add the entry to JDBC table.

6527869

Search doesn't work on a join view if using attributes from secondary view in the search filter.

6357160

The dpconf command does not reject new line and line feed characters in property values. Avoid using new line and line feed characters when setting property values.

6500298

When using the jvm-args flag of the dpadm command and restarting the server, you cannot successfully allocate more than 2 GB memory for the Java virtual machine.

6570523

Directory Proxy Server does not proxy the Password Modify Extended operation, which is required by the ldappasswd command to reset user passwords.

Known Problems and Limitations in Directory Proxy Server

This section lists known problems and limitations at the time of release.

Directory Proxy Server Limitations

This section lists product limitations.

Do not change file permissions by hand.

Changes to file permissions for installed Directory Server Enterprise Edition product files can in some cases prevent the software from operating properly. Only change file permissions when following instructions in the product documentation, or following instructions from Sun support.

To work around this limitation, install products and create server instances as a user having appropriate user and group permissions.

Self-signed server certificates cannot be renewed.

When creating a self-signed server certificate, make sure you specify a validity long enough that you do not have to renew the certificate.

Directory Proxy Server does not ensure atomicity with the join data view write operations.

To ensure atomicity, do not use the join data view for write operations. If you perform write operations on a join data view, use an external mechanism to prevent or detect inconsistencies. You can monitor inconsistencies by monitoring the Directory Proxy Server error log.

Known Directory Proxy Server Issues in 6.3

This section lists the known issues found at the time of the Directory Proxy Server 6.3 release.

6646107 / 6643181

For a join-data-view operation that joins an LDAP and a JDBC data view, when adding, replacing or modifying an attribute with a value that is too long for the database to store, the value gets truncated and the following data source specific problems are triggered:

  • In MySQL, the database row to which the attribute belongs appears twice.

  • In DB2, certain database tables become unavailable until the Directory Proxy Server is restarted.

6609603

When a new data source is added to a data source pool, server restart is required.

6607075

For a join view of both LDAP and JDBC, with a uid in the join rule, and where the JDBC view contains an extra attribute, an ldapsearch operation for that attribute returns not one but all entries from the server.

6640597

Directory Proxy Server does not change the DN of an ADD operation when the operation follows a referral in which the basedn is different from that of the original machine. Attempting an ADD against a Directory Proxy Server instance that has a Directory Server instance that is set to follow referrals, as opposed to just forwarding referrals, results in the ADD being rejected on the referred server because of an incorrect basedn.

Using the ldapmodify command to execute the ADD directly against the Directory Server instances allows the ADD to work.

6637608

When running a large number of searches through the Directory Server Enterprise Edition, there is stress on the Directory Proxy Server, and ArrayIndexOutOfBounds and NegativeArraySize exceptions can occur.

6659381

The Directory Proxy Server may hang when used with Java 1.6 in 64-bit mode. Using Java 1.5 removes this risk. For more information, see Software Dependency Requirements.

6597598

When performing modifications using the modrate tool against a join view, with both LDAP and JDBC, null pointer exceptions occur when using more than 1 thread. The errors are similar to the following:


java.lang.NullPointerException
com.sun.directory.proxy.server.JoinDataView.processModifyRequest(JoinDataView.java:916)
com.sun.directory.proxy.server.JoinDataViewOpContext.processModifyRequest(JoinDataViewOpContext.java:243)
com.sun.directory.proxy.server.ModifyOperation.processOperation(ModifyOperation.java:502)
com.sun.directory.proxy.server.WorkerThread.runThread(WorkerThread.java:150)
com.sun.directory.proxy.util.DistributionThread.run(DistributionThread.java:225)

6639674

If the Directory Proxy Server configuration property allow-bind-operations is set to false, it is not possible to connect on an SSL port using the dpconf command line argument with the --secure-port option. Connections by Start TLS (default) or by clear connection (the --unsecured option) are still possible.

6642559

Writing virtual transformations does not work for the remove-attr-value transformation model.

6642578

Writing virtual transformations does not work as expected when an entry is modified.

5042517

The modify DN operation is not supported for LDIF, JDBC, join and access control data views.

6355714

Currently, getEffectiveRight control is supported only for LDAP data views and does not yet take into account ACIs local to the proxy.

6356465

Directory Proxy Server can reject ACIs that specify subtypes to the target attribute, such as (targetattr = "locality;lang-fr-ca").

6360059

Directory Proxy Server cannot resume the JDBC data source connection that is restored after the data source connection failure. Directory Proxy Server can resume the connection only after restarting the Directory Proxy Server instance.

6383532

Directory Proxy Server must be restarted when the authentication mode configuration is changed.

6386073

After generation of a CA-Signed Certificate request, when you refresh, the certificate is displayed as a self-signed certificate.

6388022

If the SSL port used by Directory Proxy Server is incorrect, after a secure search request on that port Directory Proxy Server may close all connections.

6649984

No warning is issued when you set a password of insufficient length for the certificate database. If the password is too short, it is accepted by the Directory Service Control Center. Issuing the dpadm command with cert subcommands can then result in the commands hanging.

6390118

Directory Proxy Server fails to count the number of referral hops properly when configured to use authentication based on the client application credentials rather than proxy authorization.

6390220

It is possible to specify the base-dn property when creating a data view, but it is not possible to set the base-dn property to "", the root dse, after creating the data view.

6410741

Directory Service Control Center sorts values as strings. As a result, when you sort numbers in Directory Service Control Center, the numbers are sorted as if they were strings.

An ascending sort of 0, 20, and 100 results in the list 0, 100, 20. A descending sort of 0, 20, and 100 results in the list 20, 100, 0.

6547755

A Directory Proxy Server instance with multi-byte characters in its path may fail to be created in DSCC, to start, or to perform other regular tasks.

Some of these issues can be resolved by using the charset that was used to create the instance. Set the charset using the following commands:


# cacaoadm list-params | grep java-flags
  java-flags=-Xms4M -Xmx64M

# cacaoadm stop
# cacaoadm set-param java-flags="-Xms4M -Xmx64M -Dfile.encoding=utf-8"
# cacaoadm start

Use only ASCII characters in the instance path to avoid these issues.

6439604

After configuring alerts, you must restart Directory Proxy Server for the change to take effect.

6461510

In Directory Proxy Server, referral hop limit does not work.

6447554

Directory Proxy Server fails to rename an entry moving to another data view when numeric or lexicographic data distribution is configured.

6458935

When working with join data views, Directory Proxy Server does not take into account data distribution algorithms in the views that make up the join.

To work around this issue, configure data distribution at the level of the join data view when using joins and data distribution together.

6469154

On Windows, the output of dsadm and dpadm commands, and help messages are not localized in Simplified and Traditional Chinese languages.

6469780

Creation of JDBC data source entries is not dynamically detected. If you create a JDBC server before creating a JDBC data view, the data view is ignored until the next restart of the server. After configuring a JDBC data source, therefore, you must restart Directory Proxy Server for the change to be detected.

6486578

For JDBC object classes, where one class, A, uses a table as secondary and another class, B, uses that same table as its only primary, then requests on B do not work. The Directory Proxy Server fails to ignore the filter-join-rule property when it is used in a primary table.

6488197

After installation and after server instance creation on Windows systems, the file permissions to the installation and server instance folder allow access to all users.

To work around this issue, change the permissions on the installation and server instance folders.

6488297

On Windows, DSCC initialization can only be performed by the Administrator user.

6490763

Access Manager, when accessing Directory Server through Directory Proxy Server, has been seen to encounter caching problems related to persistent searches after Directory Server is restarted.

To work around this issue, restart either Access Manager or Directory Proxy Server after restarting Directory Server.

For further fine tuning, you can increase the number of and delay between Access Manager attempts to reestablish persistent search connections. You can increase these parameters by changing the following properties in the AMConfig.properties file.

  • Increase com.iplanet.am.event.connection.num.retries, which represents the number of attempts. The default is 3 attempts.

  • Increase com.iplanet.am.event.connection.delay.between.retries, which represents the number of milliseconds delay between attempts. The default is 3000 milliseconds.

6490853

If you run a search using a JDBC data view configured with a DB2 database and there are a large number of entries to be returned in the search result, an error might occur after returning 1,344 entries.

To overcome this limitation, increase the number of large packages by setting the value of the CLI/ODBC configuration keyword CLIPkg to a value up to 30. Even then, the search result is limited to a maximum of 11,712 entries.

For more information, see DB2 documentation.

6491133

When creating a self-signed certificate using Directory Service Control Center, do not use multi-byte characters for the certificate names.

6491845

The default LDAP controls allowed through Directory Proxy Server are not displayed by Directory Service Control Center.

6493349

Directory Service Control Center removes commas when changing the DN for an existing excluded subtree, or alternate search base.

6494540

After enabling or disabling non secure LDAP access for the first time, you must restart Directory Proxy Server for the change to take effect.

6497547

Time limit and size limit settings work only with LDAP data sources.

6497992

After using the command dpadm set-flags cert-pwd-store=off, Directory Proxy Server cannot be restarted using Directory Service Control Center.

6501867

The dpadm start command has been seen to fail when used with a server instance name combining both ASCII and multi-byte characters.

6505112

When setting the data-view-routing-custom-list property on an existing connection handler, an error occurs with data view names containing characters that must be escaped, such as commas.

To work around this issue, do not give data views names that contain characters that must be escaped. For example, do not use data view names containing DNs.

6510583

Unlike previous versions, as stated in the manual page allowed-ldap-controls(5dpconf), Directory Proxy Server does not allow the server side sort control by default.

You can enable Directory Proxy Server support for the server side sort control by adding server-side-sorting to the list of allowed LDAP controls specified by the allowed-ldap-controls property.


$ dpconf set-server-prop \
 allowed-ldap-controls:auth-request \
 allowed-ldap-controls:chaining-loop-detection \
 allowed-ldap-controls:manage-dsa \
 allowed-ldap-controls:persistent-search \
 allowed-ldap-controls:proxy-auth-v1 \
 allowed-ldap-controls:proxy-auth-v2 \
 allowed-ldap-controls:real-attributes-only \
 allowed-ldap-controls:server-side-sorting

Notice that you must repeat the existing settings. Otherwise, only the server side sort control is allowed.

6511264

When using the DN renaming feature of Directory Proxy Server, notice that repeating DN components are renamed to only one replacement component.

Consider for example that you want to rename DNs that end in o=myCompany.com to end in dc=com. For entries whose DN repeats the original component, such as uid=userid,ou=people,o=myCompany.com,o=myCompany.com, the resulting renamed DN is uid=userid,ou=people,dc=com, and not uid=userid,ou=people,o=myCompany.com,dc=com.
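The renaming outcome described above can be checked against an export of entry DNs before DN renaming is enabled, because two source entries that map to one renamed DN become indistinguishable through the proxy. The following is an added example, not code from the product or from these release notes; the function names and sample DNs are constructed, and the collapse rule is an assumption modelled on the example in the text.

```python
# Added example, not product code: models the renaming outcome described above
# and flags source DNs that would collide on one renamed DN.

# Constructed sample DNs; the first is the example DN from the text.
SAMPLE_DNS = [
    "uid=userid,ou=people,o=myCompany.com,o=myCompany.com",
    "uid=userid,ou=people,o=myCompany.com",
    "uid=other,ou=people,o=myCompany.com",
    "uid=admin,ou=special,dc=example",  # not under the renamed suffix
]


def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas (backslash escapes honoured)."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def _key(rdn):
    """Case-insensitive comparison key for one RDN (assumes caseIgnore matching)."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip().lower()


def rename_as_described(dn, old_suffix, new_suffix):
    """Return the renamed DN, or None if dn does not end in old_suffix."""
    # Assumption: every trailing repetition of old_suffix collapses into a single
    # new_suffix, which reproduces the example given in the text.
    old = [_key(r) for r in split_rdns(old_suffix)]
    if not old:
        raise ValueError("old_suffix must not be empty")
    rdns, hits = split_rdns(dn), 0
    while len(rdns) >= len(old) and [_key(r) for r in rdns[-len(old):]] == old:
        rdns, hits = rdns[:-len(old)], hits + 1
    return ",".join(rdns + split_rdns(new_suffix)) if hits else None


def find_collisions(dns, old_suffix, new_suffix):
    """Map each renamed DN to its source DNs, keeping only those with 2+ sources."""
    groups = {}
    for dn in dns:
        renamed = rename_as_described(dn, old_suffix, new_suffix)
        if renamed is not None:
            groups.setdefault(renamed.lower(), []).append(dn)
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Calling find_collisions(SAMPLE_DNS, "o=myCompany.com", "dc=com") reports the first two sample DNs as sharing one renamed DN.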

6520368

The JDBC connection configuration to access Oracle 9 through Directory Proxy Server is not exactly as described in the documentation.

Consider the following configuration, with an Oracle 9 server listening on host myhost, port 1537 with the instance having system identifier (SID) MYINST. The instance has a database MYNAME.MYTABLE.

Typically, to configure access through to MYTABLE, set the following properties.

  • On the JDBC data source, set db-name:MYINST.

  • On the JDBC data source, set db-url:jdbc:oracle:thin:myhost:1537:.

  • On the JDBC table, set sql-table:MYNAME.MYTABLE

If these settings do not work, configure access through to MYTABLE with the following settings.

  • On the JDBC data source, set db-name:(CONNECT_DATA=(SERVICE_NAME=MYINST)))

  • On the JDBC data source, set db-url:jdbc:oracle:thin:@(DESCRIPTION= (ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost)(PORT=1537)))

  • On the JDBC table, set sql-table:MYNAME.MYTABLE

6527010

Directory Proxy Server cannot write JDBC attributes implying many-to-many (N:N) relationship between tables in the JDBC database.

6539650

Directory Proxy Server instances with a multi-byte DN that are created using DSCC fail to start on Linux.

6542857

When you use Service Management Facility (SMF) in Solaris 10 to enable a server instance, the instance might not start when you reboot your system.

As a workaround, provided that the command dsadm enable service has never been called, add the following lines which are marked with + to /opt/SUNWdsee/ds6/install/tmpl_smf.manifest.


...
restart_on="none" type="service"> 
<service_fmri value="svc:/network/initial:default"/> 
  </dependency> 
+ <dependency name="nameservice" grouping="require_all" \
+ restart_on="none" type="service"> 
+ <service_fmri value="svc:/milestone/name-services"/> 
+ </dependency> 
<exec_method type="method" name="start" 
exec="%%%INSTALL_PATH%%%/bin/dsadm start --exec %{sunds/path}"...

If the dsadm enable service command has previously been called, the workaround is as follows:

  1. Create a file containing the following content:


    select dps
    addpg nameservice dependency
    setprop nameservice/grouping  = astring: require_all
    setprop nameservice/restart_on = astring: none
    setprop nameservice/type = astring: service
    setprop nameservice/entities = fmri: "svc:/milestone/name-services"

  2. Execute the following command on the file:


    svccfg -f file

    If there are some instances in the maintenance state, run these commands:


    svcadm clear svc:/application/sun/dps:dps-{instancepath}

6547759

On HP-UX, if you access DSCC with multiple browser sessions set to different locales, DSCC might display some strings in a locale that is different from the locale set in the browser.

6551076

Console does not retrieve the backend status of the Directory Proxy Server instance if a machine has multiple host names.

6565106

If duplicate entries are present in an RDBMS table matching a DN pattern found in a JDBC object class, then duplicate subtree (non-leaf) nodes are returned by Directory Proxy Server when a search is performed against the JDBC data view. For example, if there is a DN pattern ou in a JDBC object class and there are duplicate entries (say, sales) present in the RDBMS column mapped to the JDBC attribute ou, then there are duplicate nodes like ou=sales in the search result.

To resolve this issue, do the following:

  1. Create an RDBMS view by taking the values from the table that contains the column mapped to ou JDBC attribute in such a way that there are no duplicated entries.

  2. Replace the RDBMS table name with the RDBMS view name in the JDBC object class with the DN pattern ou. The limitation of this approach is that since RDBMS views are read-only, no values for the JDBC attribute ou can be added through Directory Proxy Server.

6573439

In DSCC, in the More View Options of an instance, the date shown under the Access Logs, Error Logs, and Audit Logs tabs is not localized.

6588319

In DSCC configured using Tomcat server, the titles of the Help and Version pop-up windows display multi-byte strings garbled.

6590460

The string owner in the output of the dpadm show-cert dps-instance-path command is not translated in Simplified Chinese and Traditional Chinese.

6592543

The pop-up windows prompting for confirmation when stopping or unregistering servers display doubled apostrophes in the French locale.